We are hiring a third-party vendor to print mailing labels for a bank event flyer. Can we provide the list of names and addresses to the vendor for producing the labels, without violating our customers’ privacy? Our privacy policy states that we share customer information “for our marketing purposes — to offer our products and services to you.”

Yes, you may share a list of customer names and addresses with your printer, provided that you enter into a written contract with the printer preventing it from misusing or losing your customers’ information.

Regulation P permits a bank to share nonpublic personal information with a third party if the sharing is reflected in its privacy policy and is limited by a written contract with the third party. The written contract must prohibit the third party “from disclosing or using the information other than to carry out the purposes for which [the bank] disclosed the information . . . .”

Your bank meets the first requirement for information sharing, since your privacy policy discloses that you will share information with third parties “for our marketing purposes,” which appears to accurately reflect your sharing practices. However, you also must enter into a written contract with the printer that prohibits it from disclosing your customers’ information other than for the purposes of printing and delivering your flyers. In addition, we recommend that the contract require the printer to implement information security measures to protect your customers’ information, based on the Interagency Guidelines Establishing Information Security Standards.

For resources related to our guidance, please see:

  • Regulation P, 12 CFR 1016.13(a)(1) (“The opt out requirements . . . do not apply when you provide nonpublic personal information to a nonaffiliated third party to perform services for you or functions on your behalf, if you: (i) Provide the initial notice in accordance with § 1016.4; and (ii) Enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which you disclosed the information, including use under an exception in § 1016.14 or § 1016.15 in the ordinary course of business to carry out those purposes.”)
  • Regulation P, 12 CFR 1016.4 (“Initial notice requirement. You must provide a clear and conspicuous notice that accurately reflects your privacy policies and practices . . . .”)
  • Interagency Guidelines Establishing Information Security Standards, 12 CFR 208, Appendix D-2 (Federal Reserve Board) (“Each bank shall: . . . (2) Require its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; . . . .”)
  • Small Entity Compliance Guide, Interagency Guidelines Establishing Information Security Standards (“In particular, financial institutions must require their service providers by contract to (1) Implement appropriate measures designed to protect against unauthorized access to or use of customer information maintained by the service provider that could result in substantial harm or inconvenience to any customer; and (2) Properly dispose of customer information. In addition, the Incident Response Guidance states that an institution’s contract with its service provider should require the service provider to take appropriate actions to address incidents of unauthorized access to the financial institution’s customer information, including notification to the institution as soon as possible following any such incident.”)